Gallery: how the surveillance industry markets spyware to governments

The latest Wikileaks dump offers a look at the slide presentations and …

A collection of documents recently published by Wikileaks casts a light on surveillance vendors who sell intrusive monitoring technology to governments and law enforcement agencies. This growing industry—which serves countries around the world—offers the ability to monitor entire populations and circumvent the privacy and security safeguards built into conventional consumer technology.

In our report last week, we highlighted DigiTask, a German company that sells malware for law enforcement investigations. The company's marketing materials say that its software, which is deployed through zero-day exploits, can intercept encryption keys to provide law enforcement agents with access to encrypted communications. DigiTask is just one of the many vendors who produce such software. In this article, we will give you a brief look at some of the marketing material that was included in the Wikileaks Spy Files.

Paladion

Paladion, which describes itself as "the fastest growing information security company" in Asia, sells monitoring and filtering tools to corporations, law enforcement agencies, and governments.

One of the Paladion products is an "SSL Interception and Decryption System" that is designed to snoop on encrypted communications. The company's marketing material explicitly advertises it as a tool for executing covert man-in-the-middle attacks against surveillance targets. The brochure also specifically highlights the system's ability to track encrypted banking transactions and GMail communication.

Paladion brochure: an overview of the company's SSL interception system

Paladion brochure: a diagram explaining how the company's SSL intercept system works

Paladion also sells a "link analysis" tool that digs through a surveillance target's communications in order to identify friends and associates. It can then extend its monitoring to the associated parties in order to perform analysis of communications across an entire group. It can compute the degree of separation between individuals and identify "anchor" individuals who connect various parties in a group.

According to the Paladion brochure, the link analysis tool is compatible with the company's Internet Monitoring System (IMS), a surveillance framework that can scale up to provide governments with nationwide monitoring. Paladion's IMS offers proactive detection of "new targets" based on analysis of potentially suspicious activity. The brochure touts the system's capacity for "mass scale" real-time analysis and long-term storage for "deep intelligence gathering" via data mining.

HackingTeam

HackingTeam is an Italian surveillance company that sells "offensive security" solutions to law enforcement agencies "in all five continents." Unlike some of the more secretive companies whose products were outed by Wikileaks, HackingTeam doesn't hide its marketing material or label it confidential. The HackingTeam promotional video published by Wikileaks can also be found on the company's own website.

One product marketed by HackingTeam is the Remote Control System, malware that infects computers and smartphones in order to enable covert surveillance. The company says that its trojan can intercept encrypted communication, including Skype voice calls. They prominently advertise the fact that the malware can be installed remotely. They say that it can scale up to monitor "hundreds of thousands of targets" and is capable of being deployed to Apple, Android, Symbian, and Blackberry mobile devices.

A slide from a HackingTeam video about the Remote Control System

A slide from a HackingTeam video about the Remote Control System

Slide describing how HackingTeam's Remote Control System can be remotely deployed

Slide describing some of the interception capabilities of HackingTeam's Remote Control System

Marketing material about HackingTeam's Remote Control System

VUPEN

VUPEN is a well-known security firm based in France that specializes in vulnerability research. They detect security flaws in software in order to provide companies with proactive protection against zero-day exploits. The company is very active in the security community and received international attention earlier this year when it took a swift victory in the Pwn2Own contest by impressively compromising a 64-bit version of Safari.

One of VUPEN's services is selling new zero-day exploits to intelligence and law enforcement agencies for use in surveillance. They offer the service on a subscription basis, providing governments with continuous access to new undocumented vulnerabilities and sample exploit code that can be used by investigators for "covertly and remotely installing" surveillance malware on computers and smartphones.

A VUPEN brochure describes the company's zero-day exploit subscription service

According to the company's brochure, the code they provide is crafted with the aim of "defeating modern exploit mitigation technologies." For an idea of what that means, the document quotes the company's CEO addressing the value of empowering law enforcement agencies with the ability to "bypass Antivirus products and modern operating system protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)."

The company is selective about who can sign up to receive exploit code and requires recipients to commit to non-disclosure agreements. They say that they will only provide the service to legitimate government agencies that meet strict criteria. They will not serve countries that are subject to international embargoes.

Wow. If this is the state of commercial software, one can only imagine what is being done by state-sponsored hacker teams.

The case of VUPEN is an interesting one: they discover a new zero-day exploit. What do they do: sell it to law enforcement, or sell protection against it to their customers? What bags them the most money?

I think there's lots of opportunity for self-embarrassment pursuing these offers. Suppose some of this X-linked malware is discovered leaking its way into big corporate files or cloud accounts or even government accounts? Suppose that, after the fact, someone finds it, tracks it down, and blows a whistle, revealing a link that people don't want revealed?

I think it's a dumb idea, and offers plenty of opportunity for injuring yourself.

Just because something is technically possible, it doesn't mean it's a good way to go.

Why would law enforcement need something like this? Under the policy of checks and balances, aren't they supposed to be getting a warrant and serving that against the likes of GMail and Skype, to obtain these communications? Any "law enforcement" agency that can't obtain the communications from the service provider, is clearly operating illegally.

I like how discovering and leaking this stuff is super illegal. But actually doing the stuff is not.

What I like is how even though it's evil and horrible I am required by law to pay for government to spy on me. Every f-ed up thing that governments do to their own citizens is bought and paid for by the taxes taken, under threat, from the wages of those same citizens.

I wonder if full UAC gets around this sort of thing. That is, if every administrative escalation to install one of these requires a prompt with a password, is there a way for these fuckers to get around it?

There has been a rash of articles about this over the past week. Apparently someone managed to get into a convention where these products were being sold, and bring out lots of sales brochures to publish.

Which is all fine and dandy, but what I'd like to know is: who is buying these products?

The difference between these guys and black-hat hackers is the slide package, and I'm okay with that. Anyone who thinks you can bring a knife to a gunfight is pretty quickly out of business, often at the hands of the people they're trying to target (remember HB Gary?).

Am I wrong to be skeptical of these presentations? The claims seem rather impressive... *too impressive*... such as a remote control system that can run on anything anywhere. Wondering if this stuff is half baked.

Why would law enforcement need something like this? Under the policy of checks and balances, aren't they supposed to be getting a warrant and serving that against the likes of GMail and Skype, to obtain these communications? Any "law enforcement" agency that can't obtain the communications from the service provider, is clearly operating illegally.

Good point. I'd think this is intended to go around full-disk encryption and the like. According to http://www.schneier.com/blog/archives/2 ... encry.html, full-disk encryption is actually hampering police forensic analysis. Much easier to plant malware and get the password surreptitiously.

And this is not only sold to the US government, you know. Don't think Google would honor a request from the Iranian government.

Oversimplification: sort of hard to imagine, of course, an encryption method unbreakable by, at least, the people who created it... And its being "illegal" (or, what the heck, even "immoral" or, heh, heh, "evil") hasn't kept it from being _done_, ever. Ben Franklin said a couple hundred years ago that 3 can keep a secret if 2 are dead.

I'm disgusted as well, except I believe that the only ethical action to take when discovering a software exploit is that of publishing it for the world to see.

The idea that there exists a legitimate need for such an industry is akin to an apathetic admission of defeat of democracy. (In my opinion, that is)

Your comment is the quote of my day. It's kinda sad to know there exists an industry working on exploits/vulnerabilities and to thrive, they require the need for constant distrust between humans and concealment of knowledge.

People are awfully quick to assume that the gov is using it to spy on its own citizens without a warrant. We have a whole agency (CIA) whose whole purpose is to break the law in different countries. Almost every country in the world has anti-espionage laws, and we have spies in almost all of those countries. If they are breaking the law I'd hope they are using state of the art products to do it. Just as I hope that in the U.S. they are not spying on their own citizens without a warrant. I'd be much more worried if the leaked documents were showing invoices to local police stations and such. All this shows is that there are companies out there selling these goods. Which I'm assuming most people aren't exceptionally surprised about. Blackhats have been using things like this for years.

I'm very interested in if and how this stuff is licensed. Being blatantly designed to circumvent digital security, surely this runs afoul of the DMCA and similar legislation. Certainly in private hands, this has got to be illegal (it's obviously leagues ahead of headline grabbers like Locationgate, CarrierIQ and the like) and anywhere democratic would be subject to warrants. Which leaves a whole lot of nasty people as the only real viable market.

Like the weapons industry, you have to be some seriously miserable piece of **** to want to make your living do this. But, on the upside, the travel perks to Syria and Iran must be fun.

"A collection of documents recently published by Wikileaks casts a light on surveillance vendors who sell intrusive monitoring technology to governments and law enforcement agencies" and mobile device owners see I told u you were a human wikileaks konane you didn't believe me

I'm more concerned about the SSL MITM products than anything else. Where are governments getting the private keys that these tools would need to let them impersonate e.g. Google? Either: 1) They simply demand them outright from companies and CA's, or 2) They're paying people to break into companies and CA's to acquire them.

What might really bake some noodles is considering that most AV software never lets you know what botnet / C&C / etc. to which you were connected when malware is removed. Such information is not terribly difficult to find, particularly given the current prevalence of AV with integrated firewalls.

I really am surprised by the amount of shock and disgust that people are showing in the comments - I had kind of assumed that this kind of thing was common knowledge. Whilst you don't normally see presentations and the like with all their marketing spiel, it isn't hard to dig up other information on such products and services.

If a level of encryption or security exists - there is pretty much always a known exploit, or accepted amount of time within which it can be decrypted. If there isn't then it likely would never make it to becoming a commercial product, and we certainly wouldn't be allowed to use it (as the general public).

Is it unethical people make money off such things? Probably. But such things are also probably needed to get critical information, and I am sure that software and services like the above have saved lives, stopped events or captured criminals that the general public will never know about.

Too many people take this type of thing personally, without looking at the bigger picture of why it might be required. Some of it is impressive stuff as well though - as someone else mentioned I would love to know how the SSL products work, given how secure the private/public key cleverness involved is.

The idea that there exists a legitimate need for such an industry is akin to an apathetic admission of defeat of democracy. (In my opinion, that is)

I completely agree. The article made me think of a scene from the movie The Lives of Others - the antagonist turned protagonist is employed by the STASI intelligence agency during the DDR-times - he is set to work opening citizens' private letters with a created-for-that-particular-purpose steam letter-opener.

The oppressiveness of the East German regime couldn't have been illustrated better, and yet it is precisely the same thing happening here.

Is it unethical people make money off such things? Probably. But such things are also probably needed to get critical information, and I am sure that software and services like the above have saved lives, stopped events or captured criminals that the general public will never know about.

I am also sure that software and services like the above has stopped events that the general public will never know about.

jimbonbon wrote:

Too many people take this type of thing personally, without looking at the bigger picture of why it might be required.

Yeah, you can't make an omelette without breaking eggs.

Only downside is, with arguments like these you can justify absolutely anything.

I really am surprised by the amount of shock and disgust that people are showing in the comments - I had kind of assumed that this kind of thing was common knowledge. Whilst you don't normally see presentations and the like with all their marketing spiel, it isn't hard to dig up other information on such products and services.

If a level of encryption or security exists - there is pretty much always a known exploit, or accepted amount of time within which it can be decrypted. If there isn't then it likely would never make it to becoming a commercial product, and we certainly wouldn't be allowed to use it (as the general public).

Is it unethical people make money off such things? Probably. But such things are also probably needed to get critical information, and I am sure that software and services like the above have saved lives, stopped events or captured criminals that the general public will never know about.

Too many people take this type of thing personally, without looking at the bigger picture of why it might be required. Some of it is impressive stuff as well though - as someone else mentioned I would love to know how the SSL products work, given how secure the private/public key cleverness involved is.

I'm not sure that is the issue most people are bothered by here.

My own perspective is this: I'm completely fine frankly with the CIA or FBI having access to such tools. I'm not nearly as tolerant that such tools are being advertised to law enforcement as a whole or that such technology would be openly exportable even to friendly nations. I'm more accepting if we were sharing such tech with allies but under a variety of strict NDA and usage agreements.

Most of us are not so tinfoil hat-ish that we worry about the above mentioned agencies having such tools. We're downright terrified of what lesser educated, skilled and regulated state and municipal police would do with such tools. As I stated in the last article here regarding such tech, various municipal police have already proven themselves highly abusive of such technology with regards to cell phone tracking and scanners.

"Who guards the guardians?" 2000 years ago the Romans pinpointed the problem (probably not the first ones to do so, but Latin is wonderfully succinct for this sort of thing).

The Western democratic solution: Yes, state agencies have leave to "break the law" at times; but only in ways and circumstances that are strongly controlled, i.e., search warrants, court orders, oversight committees that are cleared for classified info (politicians tend to leak), etc. In other words, their "lawbreaking" is itself regulated by laws. And compliance with THOSE laws must be monitored and enforced.

As long as the system itself is reasonably transparent and honest, this actually works. I wonder how many of the people who complain about corruption etc in the U.S. have ever tried to live in a for-real, corrupt state and get anything done there (Pakistan? Russia?), let alone a dictatorship. You have NO idea of what that is like, absolutely none.

But, there is a slippery slope, and a state (any state) remains honest only when under constant pressure by its citizens, not least the press. To be effective, such oversight and pressure needs to be intelligent and considered, not "everything sucks and they're all dishonest anyway"; that brings only loss and no gain.

And there are few alternatives - because if police and intelligence agencies never could do things like wiretapping or covert comms intercepts, real villains would commit real crimes and get away with them. And where there is a need, there is a market, so you will have people, either employed by the state or by companies that have state customers, who do the code-breaking/exploits/intercepts. So the relevant question is one of oversight and accountability, not whether to do it at all.

Why would law enforcement need something like this? Under the policy of checks and balances, aren't they supposed to be getting a warrant and serving that against the likes of GMail and Skype, to obtain these communications? Any "law enforcement" agency that can't obtain the communications from the service provider, is clearly operating illegally.

Perhaps that is the case in your country. I'm guessing you must be American since you assume that the rules that apply to you are the same for everyone in the world.